VDAI – €110 Fine (Lithuania, 2021)

€110 · Valstybine duomenu apsaugos inspekcija · 29 November 2021 · Lithuania
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Lithuania's data protection authority fined CityBee for failing to protect user data, which was exposed online for nearly three years. This case shows the importance of implementing strong security measures to safeguard personal information. Companies should regularly review and update their data protection practices to prevent breaches.

What happened

CityBee's user data was exposed online due to inadequate security measures for nearly three years.

Who was affected

CityBee users whose personal information, including payment details and driving license numbers, was leaked online.

What the authority found

The Lithuanian DPA found CityBee lacked basic security measures, leading to a data breach and a fine.

Why this matters

This case highlights the critical need for robust data security practices. Businesses must ensure they have effective measures in place to protect personal data and avoid breaches that could lead to fines and reputational damage.

GDPR Articles Cited

Art. 32(1)(a) GDPR
Art. 32(1)(b) GDPR
Art. 32(1)(d) GDPR
Art. 83(2)(a) GDPR
Art. 83(2)(b) GDPR
Art. 83(2)(g) GDPR

Entities Involved

VDAI
UAB Prime Leasing

Full Legal Summary

The controller is the operator of “CityBee”, a platform for short-term car rental. It was informed by another company, a provider of cyber-security services, that the data of 110,302 CityBee customers had been published on the website RaidForums.com. The controller notified the DPA, which conducted an investigation.

The DPA found that the personal data was retrieved from an unprotected database backup BACPAC file (DB file), and contained the following: name, address, telephone number, e-mail address, personal identification number, driving license number, type of payment card and the last four digits of its number, the expiration date of the payment card, and the user identifier (token) in Braintree (software for online payments). This DB file was created on 27 February 2018, and access to the file was suspended on 16 February 2021. Hence, the DPA concluded that the personal data breach existed for this entire period.

The DPA found that a number of organisational and technical security measures were missing: there was no competent person responsible for security and risk management, no logs were kept of access and changes to the DB files, the DB file was stored unencrypted, the passwords in the DB file had weak encryption (SHA-1) and were easy to retrieve by persons with technical knowledge, and users could create passwords that did not comply with the requirements set out in the company’s IT security policy. Lastly, the controller did not assess and manage the risks associated with the loss of the DB file, since it was not even aware of the existence of this DB in the first place (!).

The DPA considered the lack of organisational and technical measures and held that properly using basic security measures, such as authenticated access to the DB file only for staff members, encrypting the DB file and entrusting only authorised staff members with the encryption key, or proper monitoring of information resources, would have ensured confidentiality of the personal da

Related Enforcement Actions (0)

No other enforcement actions found for VDAI in LT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

29 November 2021

Authority

Valstybine duomenu apsaugos inspekcija

Fine Amount

€110

GDPRhub ID

gdprhub-4395

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. VDAI - Lithuania (2021). Retrieved from cookiefines.eu
